DESCRIPTION



INFORMATION DISTRIBUTION SYSTEM 



TECHNICAL FIELD

[0001] The present invention relates to a system for 
distributing information and a terminal device and a distribution 
device used for the same, and more particularly to a system for 
distributing information using broadcast and a terminal device 
and a distribution device used for the same.



BACKGROUND ART 

[0002] With the current digital broadcast, an encrypted content 
is decrypted when being received, so that the content can basically
be viewed only in real time. Therefore, with the current digital
broadcast, even if a broadcast content is purchased and recorded 
but is not viewed later, a payment must be made for the content. 
Such a service is not highly convenient to the users. In light 
of such a situation, server-based broadcast standards are now being
defined for a new service which is highly convenient to the users.

[0003] The server-based broadcast adopts a system of
accumulating encrypted contents as they are in a hard disc drive 
or the like, acquiring a content key via broadcast or communication, 
and decrypting the accumulated encrypted contents at the time of
reproduction. By this system, an accumulated content which was
not viewed later does not need to be purchased. The user only
needs to pay for the content which was viewed, and thus a service 
which is highly convenient to the users can be realized. The 
server-based broadcast is described in detail in, for example, 
STD-B25 published from ARIB (Association of Radio Industries and
Businesses).

[0004] With such server-based broadcast capable of providing 
a variety of services, it is conceivable to distribute information 
relating to PKI (Public Key Infrastructure) (hereinafter, such 
information will be referred to as "PKI-related information") via
broadcast for, for example, authenticating users or terminals, 
or verifying signatures in order to confirm the authenticity of 
various types of data. 

[0005] Patent Document 1 describes a system for efficiently 
distributing PKI-related information by simultaneously
distributing PKI-related information such as a CRL (Certificate 
Revocation List) or the like via broadcast. 

Patent Document 1: Japanese Laid-Open Patent
Publication No. 2002-319934



DISCLOSURE OF THE INVENTION 

PROBLEMS TO BE SOLVED BY THE INVENTION 

[0006] However, with the conventional system, the use of 
contents and the acquisition of PKI-related information are not 
associated with each other. Therefore, a forcing power cannot
be exerted on the terminal device regarding the receipt of
PKI-related information and thus security may occasionally not 
be guaranteed. For example, there occurs a situation where a 
content can be reproduced by a terminal device even if the latest 
CRL is not received. In this way, illegal servers and terminals 
cannot be invalidated with certainty. 

[0007] Accordingly, an object of the present invention is to 
provide a system for allowing, with certainty, a terminal device 
to acquire PKI-related information, which is distributed without 
any association with the use of the content, and the terminal device 
and a distribution device used for the same. 



SOLUTION TO THE PROBLEMS 

[0008] To achieve the above object, the present invention has 
the following aspects. The present invention is directed to an
information distribution system including a distribution device 
for distributing a content and a terminal device for receiving 
the content distributed from the distribution device. The 
distribution device transmits information regarding a PKI-related 
information acquisition instruction for requesting the terminal 
device to acquire latest PKI-related information together with 
information required for using the content. The terminal device,
when receiving the PKI-related information acquisition
instruction transmitted from the distribution device, acquires
the latest PKI-related information.

[0009] According to the present invention, the PKI-related
information acquisition instruction is transmitted together with 
the information required for using the content. Therefore, the 
terminal device can acquire the PKI-related information in 
association with the use of the content, and also can receive the
PKI-related information to be forcibly acquired with certainty.

[0010] Preferably, the distribution device may include a
PKI-related information acquisition instruction broadcast unit 
operable to broadcast information regarding the PKI-related
information acquisition instruction for requesting the terminal
device to acquire the latest PKI-related information together with 
the information required for using the content; and the terminal 
device may include a PKI-related information acquisition unit 
operable to acquire the latest PKI-related information when
receiving the information regarding the PKI-related information
acquisition instruction which is broadcast. 

[0011] Thus, the distribution device instructs the terminal 
device to acquire the PKI-related information together with the 
information required for using the content. In accordance with
this, the terminal device acquires the PKI-related information.
Accordingly, the PKI-related information, which is distributed 
without any association with the use of the content, can be 
associated with the use of the content. As a result, the 
PKI-related information can be received by the terminal device
with certainty.

[0012] Preferably, the distribution device may further include
a PKI-related information transmission unit operable to transmit 
the latest PKI-related information via a communication network 
in response to the request from the PKI-related information 
acquisition unit; and the PKI-related information acquisition unit
may receive the latest PKI-related information transmitted from 
the distribution device. 

[0013] Thus, the terminal device acquires the latest 
PKI-related information via a communication network by using the 
broadcast PKI-related information acquisition instruction as a
trigger. 

[0014] For example, the PKI-related information transmission 
unit may transmit the latest PKI-related information as being 
included in a message of a SAC (Secure Authenticated Channel) 
protocol.

[0015] Thus, the PKI-related information can be acquired with 
certainty in a secure communication, and the security is 
reinforced. 

[0016] Preferably, the PKI-related information acquisition 
instruction broadcast unit may broadcast a connection destination
for acquiring the latest PKI-related information via communication 
together with the information regarding the PKI-related 
information acquisition instruction. 

[0017] Thus, the terminal device can acquire the PKI-related 
information by making a connection to the designated connection
destination. Typically, the distribution device is designated
as the connection destination. 

[0018] Preferably, the distribution device may further include 
a PKI-related information broadcast unit operable to broadcast 
the PKI-related information as being multiplexed to a broadcast
signal; and the PKI-related information acquisition unit may
acquire the latest PKI-related information broadcast as being
multiplexed to the broadcast signal based on the PKI-related
information acquisition instruction which is broadcast.

[0019] Thus, the terminal device acquires the latest
PKI-related information via broadcast by using the broadcast 
PKI-related information acquisition instruction as a trigger.

[0020] For example, the PKI-related information broadcast unit
may broadcast the PKI-related information as being included in
a private section of MPEG-2 Systems.

[0021] For example, the PKI-related information broadcast unit
may broadcast the PKI-related information as being included in
a data carousel. The data carousel is described in detail in ARIB
STD-B24.

[0022] Preferably, the PKI-related information acquisition
instruction broadcast unit may broadcast an acquisition source 
(channel, etc.) through which the latest PKI-related information
is acquired via broadcast together with the information regarding 
the PKI-related information acquisition instruction. 

[0023] Thus, the terminal device can acquire the PKI-related
information from the broadcast channel designated as the
acquisition element. In one embodiment, an engineering slot
(engineering transport stream) is designated as the acquisition
source.

[0024] Preferably, the PKI-related information acquisition
instruction broadcast unit may broadcast the information regarding 
the PKI-related information acquisition instruction as being 
included in an ECM (Entitlement Control Message: common 
information) or an EMM (Entitlement Management Message: individual
information), each of which is used in conditional access systems,
and as being multiplexed to the ECM or the EMM. The ECM and the 
EMM are described in detail in ARIB STD-B25. 

[0025] Thus, the PKI-related information acquisition 
instruction can be received simultaneously with the ECM or the 
EMM as a license (right of use, contract information, etc.) which
is information indispensable for using the content. Therefore, 
the forcing power for updating the PKI-related information is 
increased. 

[0026] For example, the information regarding the PKI-related 
information acquisition instruction is a flag indicating the
PKI-related information acquisition instruction; and the 
PKI-related information acquisition unit may refer to the flag 
to determine whether or not to acquire the latest PKI-related 
information.

[0027] For example, the information regarding the PKI-related
information acquisition instruction is either an expiration time,
a creation time and date, a version, a size or a number of certificate
entries of the PKI-related information, or a combination thereof;
and the PKI-related information acquisition unit may determine
whether or not to acquire the latest PKI-related information by
comparing either the expiration time, the creation time and date,
the version, the size or the number of certificate entries of the
PKI-related information stored in the terminal device or a
combination thereof with the information regarding the PKI-related
information acquisition instruction.

[0028] Preferably, the PKI-related information acquisition 
unit, when determining that the PKI-related information has been 
updated as a result of the comparison, may acquire the latest 
PKI-related information. 

[0029] Thus, when the PKI-related information is updated, the
terminal device acquires the latest PKI-related information. 



[0030] Preferably, the PKI-related information acquisition 
unit may further acquire the latest PKI-related information from 
the distribution device periodically.

[0031] Thus, in the case where, for example, the PKI-related
information is acquired from the distribution device via
communication connection in accordance with the PKI-related
information acquisition instruction, the load of the distribution
device is dispersed.

[0032] For example, the PKI-related information may be a CRL
(Certificate Revocation List). The CRL is described in detail
in ITU X.509.

[0033] For example, the PKI-related information may be a public 
key certificate. The public key certificate is described in detail
in ITU X.509.

[0034] Preferably, the distribution device may further include
a PKI-related information update determination unit operable to
determine whether or not the PKI-related information stored therein
has been updated; and the PKI-related information acquisition
instruction broadcast unit, when the PKI-related information
update determination unit determines that the PKI-related 
information has been updated, may broadcast the information 
regarding the PKI-related information acquisition instruction 
together with the information required for using the content. 

[0035] Thus, when the PKI-related information is updated, the
terminal device is allowed to acquire the PKI-related information.

[0036] Preferably, the PKI-related information acquisition
unit may re-try to acquire the PKI-related information until a 
predetermined condition is fulfilled. 

[0037] Thus, even when a communication abnormality occurs, the 
PKI-related information can be acquired with certainty.

[0038] Preferably, when the PKI-related information cannot be
acquired even after the re-tries performed by the PKI-related
information acquisition unit, at least a part of the processing
regarding the use of the content may be restricted.

[0039] Thus, the use of the content is restricted unless the
PKI-related information is acquired. Therefore, the forcing 
power for acquiring the PKI-related information is increased. 
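
The terminal-side behaviour of paragraphs [0026] to [0039] (refer to the flag or compare CRL metadata, re-try, then restrict content use), shown as an added Python example that is not part of the patent text. The names CrlMeta, Hint and Terminal, the attempt cap standing in for the "predetermined condition", the refresh of an expired local CRL and the version floor that rejects a stale list are assumptions of this example; fetch() is assumed to return a CRL whose signature has already been verified.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class CrlMeta:
    """CRL attributes that [0027] lists as comparison keys."""
    version: int
    created: datetime
    expires: datetime
    entries: int


@dataclass(frozen=True)
class Hint:
    """Hypothetical form of the instruction carried with the ECM/EMM/license."""
    flag: bool = False                 # [0026]: explicit acquisition flag
    latest: Optional[CrlMeta] = None   # [0027]: metadata of the newest CRL


def needs_update(held: Optional[CrlMeta], hint: Hint, now: datetime) -> bool:
    """Decide whether the terminal must acquire a newer CRL."""
    if held is None or hint.flag:
        return True
    if now >= held.expires:            # assumption: an expired local CRL is refreshed
        return True
    adv = hint.latest
    if adv is None:
        return False
    return (adv.version > held.version or adv.created > held.created
            or adv.expires > held.expires or adv.entries != held.entries)


def acquire(fetch: Callable[[], CrlMeta], held: Optional[CrlMeta], hint: Hint,
            max_attempts: int) -> Optional[CrlMeta]:
    """Re-try until a CRL arrives that is not older than the advertised or held one."""
    floor = max(held.version if held else 0,
                hint.latest.version if hint.latest else 0)
    for _ in range(max_attempts):      # assumption: condition = cap on attempts
        try:
            crl = fetch()
        except OSError:                # communication abnormality ([0037])
            continue
        if crl.version >= floor:       # reject a rollback to a stale list
            return crl
    return None


class Terminal:
    def __init__(self, held: Optional[CrlMeta], fetch: Callable[[], CrlMeta],
                 max_attempts: int = 3):
        self.held, self.fetch, self.max_attempts = held, fetch, max_attempts
        self.restricted = False

    def on_usage_info(self, hint: Hint, now: datetime) -> bool:
        """Handle an arriving ECM/EMM/license; True means content use may proceed."""
        if needs_update(self.held, hint, now):
            crl = acquire(self.fetch, self.held, hint, self.max_attempts)
            if crl is None:
                self.restricted = True  # [0038]: restrict use of the content
                return False
            self.held = crl
        self.restricted = False
        return True


def _utc(month: int, day: int) -> datetime:
    return datetime(2024, month, day, tzinfo=timezone.utc)


def _source(outcomes):
    """Constructed fetch() that replays outcomes (last one repeats) and counts calls."""
    calls = []

    def fetch():
        calls.append(1)
        item = outcomes[min(len(calls), len(outcomes)) - 1]
        if isinstance(item, Exception):
            raise item
        return item
    return fetch, calls


def demo():
    """Run four constructed scenarios; values are (allowed, held version, fetch calls)."""
    held = CrlMeta(5, _utc(1, 1), _utc(3, 1), 40)    # constructed sample CRLs
    newer = CrlMeta(6, _utc(2, 1), _utc(4, 1), 42)
    cases = {
        "flaky_link": ([OSError("timeout"), OSError("timeout"), newer], Hint(latest=newer)),
        "link_down": ([OSError("unreachable")], Hint(flag=True)),
        "stale_reply": ([held], Hint(latest=newer)),
        "unchanged": ([newer], Hint(latest=held)),
    }
    results = {}
    for name, (outcomes, hint) in cases.items():
        fetch, calls = _source(outcomes)
        term = Terminal(held, fetch)
        allowed = term.on_usage_info(hint, _utc(2, 2))
        results[name] = (allowed, term.held.version, len(calls))
    return results


if __name__ == "__main__":
    print(demo())
```

The stale_reply case is the one the comparison alone does not cover: a reply that carries the old list must count as a failed acquisition, otherwise the re-try loop ends with the terminal still holding the superseded CRL.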

[0040] Preferably, the distribution device may include a
PKI-related information broadcast unit operable to broadcast
PKI-related information as being multiplexed to a broadcast signal;
and a PKI-related information acquisition instruction 
transmission unit operable to transmit, to the terminal device 
via communication, the information regarding the PKI-related 
information acquisition instruction for requesting the terminal 
device to acquire the latest PKI-related information together with 
the information required for using the content; and the terminal 
device may include a PKI-related information acquisition unit
operable to acquire the PKI-related information which is broadcast
when the information regarding the PKI-related information
acquisition instruction is transmitted from the distribution
device.

[0041] Thus, the distribution device instructs the terminal 
device to acquire the PKI-related information. In accordance with
this, the terminal device acquires the PKI-related information 
via broadcast. Accordingly, the terminal device can acquire the 
latest PKI-related information, which is distributed without any 
association with the use of the content via broadcast, with 
certainty by using the PKI-related information acquisition
instruction transmitted together with the information required
for using the content as a trigger.

[0042] For example, the PKI-related information acquisition 
instruction transmission unit may transmit the information 
regarding the PKI-related information acquisition instruction as 
being included in a message of a SAC protocol to the terminal device.



[0043] For example, the PKI-related information acquisition 
instruction transmission unit may include the information 
regarding the PKI-related information acquisition instruction in 
a license transmitted via the SAC protocol.

[0044] For example, the PKI-related information broadcast unit
may broadcast the PKI-related information as being included in
a private section of MPEG-2 Systems. 

[0045] For example, the PKI-related information broadcast unit 
may broadcast the PKI-related information as being included in
a data carousel.

[0046] Preferably, the PKI-related information acquisition 
instruction transmission unit may transmit an acquisition source 
through which the latest PKI-related information is acquired via 
broadcast together with the information regarding the PKI-related
information acquisition instruction.

[0047] Thus, the terminal device can acquire the PKI-related 
information from the designated acquisition source. In one
embodiment, an engineering slot is designated as the acquisition
source.

[0048] For example, the information regarding the PKI-related
information acquisition instruction is a flag indicating the
PKI-related information acquisition instruction; and the 
PKI-related information acquisition unit may refer to the flag 
to determine whether or not to acquire the latest PKI-related 
information.

[0049] For example, the information regarding the PKI-related 
information acquisition instruction is either an expiration time, 
a creation time and date, a version, a size or a number of certificate
entries of the PKI-related information, or a combination thereof;
and the PKI-related information acquisition unit may determine
whether or not to acquire the latest PKI-related information by
comparing either the expiration time, the creation time and date,
the version, the size or the number of certificate entries of the
PKI-related information stored in the terminal device or a
combination thereof with the information regarding the PKI-related
information acquisition instruction.



[0050] Preferably, the PKI-related information acquisition 
unit, when determining that the PKI-related information has been 
updated as a result of the comparison, may acquire the latest 
PKI-related information.

[0051] Thus, when the PKI-related information is updated, the 
terminal device acquires the latest PKI-related information. 



[0052] Preferably, the PKI-related information acquisition 
unit may further acquire the latest PKI-related information which 
is broadcast from the distribution device periodically.

[0053] Thus, the determinacy at which the PKI-related
information is acquired is increased. 

[0054] For example, the PKI-related information may be a CRL.

[0055] For example, the PKI-related information may be a public
key certificate.

[0056] Preferably, the distribution device may further include
a PKI-related information update determination unit operable to
determine whether or not the PKI-related information stored therein
has been updated; and the PKI-related information acquisition
instruction transmission unit, when the PKI-related information
update determination unit determines that the PKI-related
information has been updated, may transmit the information
regarding the PKI-related information acquisition instruction
together with the information required for using the content.

[0057] Thus, when the PKI-related information is updated, the
terminal device is allowed to acquire the PKI-related information.



[0058] Preferably, the PKI-related information acquisition 
unit may re-try to acquire the PKI-related information until a
predetermined condition is fulfilled.

[0059] Thus, even when a communication abnormality occurs, the
PKI-related information can be acquired with certainty.

[0060] Preferably, when the PKI-related information cannot be
acquired even after the re-tries performed by the PKI-related
information acquisition unit, at least a part of the processing
regarding the use of the content may be restricted.

[0061] Thus, the use of the content is restricted unless the
PKI-related information is acquired. Therefore, the forcing 
power for acquiring the PKI-related information is increased.

[0062] The present invention is also directed to a terminal
device for receiving a content distributed from a distribution
device. The terminal device acquires the latest PKI-related 
information when receiving, together with information required 
for using the content, information regarding a PKI-related 
information acquisition instruction for requesting the terminal 
device to acquire the latest PKI-related information transmitted 
from the distribution device. 

[0063] Preferably, the terminal device may comprise a 
PKI-related information acquisition instruction receiving unit 
operable to receive the information regarding the PKI-related 
information acquisition instruction for requesting acquisition
of the latest PKI-related information which is broadcast as being
multiplexed to a broadcast signal; and a PKI-related information
acquisition unit operable to acquire PKI-related information which
is broadcast from the distribution device when the PKI-related
information acquisition instruction receiving unit receives,
together with the information required for using the content, the
information regarding the PKI-related information acquisition
instruction.

[0064] Preferably, the terminal device may comprise a 
PKI-related information acquisition instruction receiving unit
operable to receive the information regarding the PKI-related
information acquisition instruction which is transmitted from the
distribution device via communication; and a PKI-related
information acquisition unit operable to acquire PKI-related
information which is broadcast from the distribution device when
the PKI-related information acquisition instruction receiving
unit receives, together with the information required for using
the content, the information regarding the PKI-related information
acquisition instruction.

[0065] Preferably, the terminal device may comprise a
PKI-related information acquisition instruction receiving unit 
operable to receive the information regarding the PKI-related 
information acquisition instruction for requesting acquisition 
of the latest PKI-related information which is broadcast; and a 
PKI-related information acquisition unit operable to acquire the
latest PKI-related information from the distribution device via 
communication when the PKI-related information acquisition 
instruction receiving unit receives the information regarding the 
PKI-related information acquisition instruction.

[0066] The present invention is also directed to a distribution
device for distributing a content to a terminal device. The
distribution device transmits, together with information required
for using the content, information regarding a PKI-related
information acquisition instruction for requesting the terminal
device to acquire latest PKI-related information.

[0067] Preferably, the distribution device may comprise a
PKI-related information broadcast unit operable to broadcast 
PKI-related information as being multiplexed to a broadcast signal;
and a PKI-related information acquisition instruction broadcast
unit operable to broadcast, together with the information required
for using the content, the information regarding the PKI-related 
information acquisition instruction for requesting the terminal 
device to acquire the latest PKI-related information.

[0068] Preferably, the distribution device may comprise a
PKI-related information broadcast unit operable to broadcast
PKI-related information as being multiplexed to a broadcast signal;
and a PKI-related information acquisition instruction
transmission unit operable to transmit, together with the
information required for using the content, the information
regarding the PKI-related information acquisition instruction for
requesting the terminal device to acquire the latest PKI-related
information, to the terminal device via communication.

[0069] Preferably, the distribution device may comprise a
PKI-related information acquisition instruction broadcast unit
operable to broadcast the information regarding the PKI-related
information acquisition instruction for requesting the terminal 
device to acquire the latest PKI-related information, and may cause 
the terminal device to acquire the latest PKI-related information 
via communication. 



EFFECT OF THE INVENTION

[0070] According to the present invention, when the PKI-related
information is updated in the distribution device, the terminal 
device necessarily acquires the latest PKI-related information. 
Therefore, a system for allowing, with certainty, the terminal
device to acquire the PKI-related information, which is distributed 
without any association with the use of the content, is provided. 
Thus, the security is guaranteed and also the cost for distributing 
the PKI-related information is reduced. Especially since the 
information for instructing acquisition of the PKI-related
information is included in the ECM, EMM, license or the like which 
is indispensable for using the content, the latest PKI-related 
information is acquired without fail. 

[0071] These and other objects, features, aspects and 
advantages of the present invention will become more apparent from
the following detailed description of the present invention when 
taken in conjunction with the accompanying drawings. 



BRIEF DESCRIPTION OF THE DRAWINGS

[0072] [FIG. 1] FIG. 1 is a block diagram showing a functional
structure of an information distribution system according to a
first embodiment of the present invention.

[FIG. 2] FIG. 2 shows a data structure of an ECM
generated by an ECM generation section 102 of a distribution device
100.

[FIG. 3] FIG. 3 is a flowchart showing an operation
of the distribution device 100 and a terminal device 200 of the
information distribution system according to the first embodiment.

[FIG. 4] FIG. 4 is a block diagram showing a functional
structure of an information distribution system according to a
second embodiment of the present invention.

[FIG. 5] FIG. 5 shows a data structure of an ECM
generated by an ECM generation section 102 of a distribution device
110.

[FIG. 6] FIG. 6 is a flowchart showing an operation
of the distribution device 110 and a terminal device 210 of the
information distribution system according to the second
embodiment.

[FIG. 7] FIG. 7 is a block diagram showing a functional
structure of an information distribution system according to a
third embodiment of the present invention.

[FIG. 8] FIG. 8 shows a data structure of a
communication message transmitted from a distribution device 120.

[FIG. 9] FIG. 9 is a flowchart showing an operation
of the distribution device 120 and a terminal device 220 of the
information distribution system according to the third embodiment.

DESCRIPTION OF THE REFERENCE CHARACTERS

[0073] 100, 110, 120 distribution device
200, 210, 220 terminal device
101 ECM information accumulation section
102 ECM generation section
103, 113, 122 broadcast signal multiplex and transmission section
104 PKI-related information acquisition instruction addition determination section
105 PKI-related information accumulation section
106, 124 information acquisition request processing section
107 first communication section
111, 121 PKI-related information reading section
123 information acquisition instruction addition determination section
125 license accumulation section
201 channel selection section
202, 212, 221 broadcast signal receiving and separation section
203, 211, 222 PKI-related information selective receiving section
204 ECM acquisition section
205, 224 PKI-related information acquisition determination request section
206 PKI-related information holding section
207 second communication section
208, 223 PKI-related information update section
225 license information acquisition section
226 license request section



BEST MODE FOR CARRYING OUT THE INVENTION

[0074] (First Embodiment)

FIG. 1 is a block diagram showing a functional structure 
of an information distribution system according to a first 
embodiment of the present invention. In FIG. 1, the information 
distribution system includes a distribution device 100 and a
terminal device 200. One terminal device 200 is shown in FIG. 1,
but two or more terminal devices 200 may be provided. In such 
a case, each terminal device needs to be able to receive broadcast 
from the distribution device 100 and to be communicable with the 
distribution device 100 via a communication network. 

[0075] The distribution device 100 includes an ECM information
accumulation section 101, an ECM generation section 102, a 
broadcast signal multiplex and transmission section 103, a 
PKI-related information acquisition instruction addition 
determination section 104, a PKI-related information accumulation
section 105, an information acquisition request processing section
106, and a first communication section 107. 

[0076] The ECM information accumulation section 101 stores 
information required for generating an ECM (Entitlement Control 
Message: common information) (hereinafter, such information will 
be referred to as "ECM information").

[0077] The PKI-related information accumulation section 105
stores PKI-related information such as a CRL or the like. 

[0078] The PKI-related information acquisition instruction 
addition determination section 104 determines whether or not the 
CRL has been updated, and determines whether or not information
regarding an instruction for acquiring the PKI-related information
(hereinafter, such information will be referred to as a
"PKI-related information acquisition instruction") is to be added 
to the ECM. 

[0079] The ECM generation section 102 acquires the ECM
information stored in the ECM information accumulation section 
101, and when necessary, adds the PKI-related information 
acquisition instruction to the ECM information to generate an ECM 
to be transmitted and transfers the ECM to the broadcast signal
multiplex and transmission section 103.

[0080] The broadcast signal multiplex and transmission section 
103 broadcasts a broadcast signal of a content of MPEG-2 or the 
like and an ECM as being multiplexed to each other in an MPEG-2
transport stream (TS).

[0081] The first communication section 107 is connected with
the terminal device 200 via the Internet or the like. The first 
communication section 107 transfers a PKI-related information 
acquisition request transmitted from the terminal device 200 to 
the information acquisition request processing section 106. 

[0082] When the PKI-related information acquisition request
is issued by the terminal device 200, the information acquisition
request processing section 106 acquires necessary PKI-related
information from the PKI-related information accumulation section
105 and responds to the terminal device 200 via the first
communication section 107.

[0083] The terminal device 200 includes a channel selection 
section 201, a broadcast signal receiving and separation section 
202, a PKI-related information selective receiving section 203, 
an ECM acquisition section 204, a PKI-related information 
acquisition determination request section 205, a PKI-related
information holding section 206, a second communication section
207, and a PKI-related information update section 208.

[0084] The PKI-related information holding section 206 stores
the PKI-related information such as a CRL, a public key certificate
or the like acquired from the distribution device 100, and uses
the PKI-related information to, for example, authenticate a server
for distributing a license or another terminal on the home network.

[0085] The channel selection section 201 selects a channel of
the content to be reproduced.

[0086] The broadcast signal receiving and separation section
202 separates, from the TS selected by the channel selection section 
201, a content TS, an ECM TS, a PKI-related information TS 
multiplexed as a private section, and the like. The broadcast 
signal receiving and separation section 202 transfers the ECM TS 
25 and the PKI-related information TS, which have been separated. 
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to the PKI-related information selective receiving section 203 
and the ECM acquisition section 204 . The content TS is transferred 
to a content acquisition section not shown in FIG. 1. 

[0087] In accordance with an instruction from the user, the
PKI-related information selective receiving section 203 acquires
the PKI-related information TS from the broadcast signal to
re-construct the PKI-related information, and transfers the
re-constructed PKI-related information to the PKI-related
information update section 208. Even when there is no PKI-related
information acquisition instruction from the distribution device
100, the PKI-related information selective receiving section 203
acquires PKI-related information when necessary. However, there
can be a case where PKI-related information cannot be acquired
with certainty due to, for example, broadcast abnormality or
acquisition interception of the PKI-related information by a
malicious user.

[0088] The ECM acquisition section 204 acquires the ECM
separated by the broadcast signal receiving and separation section
202 and transfers the ECM to the PKI-related information
acquisition determination request section 205. Here, the ECM
itself is transferred to the PKI-related information acquisition
determination request section 205. Alternatively, only in the
case where the ECM includes a PKI-related information acquisition
instruction, the PKI-related information acquisition instruction
in the ECM may be transferred to the PKI-related information
acquisition determination request section 205.

[0089] In the case where the ECM includes the PKI-related
information acquisition instruction, the PKI-related information
acquisition determination request section 205 refers to the
PKI-related information stored in the PKI-related information
holding section 206 to determine whether or not to acquire the
PKI-related information. When determining that the PKI-related
information should be acquired, the PKI-related information
acquisition determination request section 205 causes the second
communication section 207 to transmit a PKI-related information
acquisition request to the distribution device 100.

[0090] The second communication section 207 receives the
PKI-related information transmitted from the distribution device
100 in response to the PKI-related information acquisition
determination request, and transfers the PKI-related information
to the PKI-related information update section 208. The
communication with the distribution device 100 is performed after
a SAC is established in order to guarantee the security of
communication.

[0091] The PKI-related information update section 208 stores
the PKI-related information transferred from the PKI-related
information selective receiving section 203 or the second
communication section 207 in the PKI-related information holding
section 206, and updates the PKI-related information.

[0092] FIG. 2 shows a data structure of an ECM generated by
the ECM generation section 102 of the distribution device 100.
In FIG. 2, the ECM includes a section header, an ECM main part,
and error detection information (a section tailer) in an ECM section.
The ECM main part is formed of a content key (or a scramble key),
a latest CRL version number, variable-length private data, and
manipulation detection information. Herein, the latest CRL
version number indicates the version number of the latest CRL.
The latest CRL version number indicates the PKI-related information
acquisition instruction added by the ECM generation section 102.

[0093] FIG. 3 is a flowchart showing an operation of the
distribution device 100 and the terminal device 200 in the
information distribution system according to the first embodiment.
Hereinafter, with reference to FIG. 3, the operation of the
distribution device 100 and the terminal device 200 in the
information distribution system according to the first embodiment
will be described.

[0094] First, the PKI-related information acquisition
instruction addition determination section 104 of the distribution
device 100 determines whether or not the CRL stored in the
PKI-related information accumulation section 105 has been updated
(step S101). The PKI-related information acquisition instruction
addition determination section 104 holds the latest time and date
at which the PKI-related information acquisition instruction was
added (hereinafter, referred to as the "PKI-related information
acquisition instruction addition time and date"), and the
PKI-related information accumulation section 105 holds the time
and date at which the CRL of the current (latest) version was updated.
Accordingly, the PKI-related information acquisition instruction
addition determination section 104 can determine whether or not
the CRL has been updated, i.e., whether or not the terminal device
200 should be instructed to acquire the latest CRL, by comparing
the PKI-related information acquisition instruction addition time
and date held therein with the update time and date of the CRL
of the current version. Or, even in the case where the update
time and date of the CRL is not held, it can be determined whether
or not the CRL has been updated by controlling the version numbers
to be provided to the CRLs in an ascending order or a descending
order.

[0095] In the above description, it is determined whether or
not the CRL has been updated by using the update time and date
of the CRL. Alternatively, it may be determined whether or not
the CRL has been updated by storing the version number of the last
CRL which was transmitted in the PKI-related information
acquisition instruction addition determination section 104 and
comparing the version number stored therein with the version number
of the latest CRL in the PKI-related information accumulation
section 105. In this case, step S102 is executed before step S101.

[0096] When it is determined that the CRL has not been updated,
i.e., when the PKI-related information acquisition instruction
addition time and date is newer than the update time and date of
the latest version CRL, the ECM generation section 102 determines
that it is not necessary to instruct acquisition of the PKI-related
information and generates an ECM with no PKI-related information
acquisition instruction. Then, the processing goes to step S104.
It is possible to issue a PKI-related information acquisition
instruction for a certain period even when the PKI-related
information acquisition instruction addition time and date is newer
than the update time and date of the latest version CRL.

[0097] By contrast, when it is determined that the CRL has been
updated, i.e., when the PKI-related information acquisition
instruction addition time and date is older than the update time
and date of the latest version CRL, the PKI-related information
acquisition instruction addition determination section 104
determines that it is necessary to instruct acquisition of the
PKI-related information, reads the latest CRL version number from
the CRL accumulated in the PKI-related information accumulation
section 105, and transfers the latest CRL version number to the
ECM generation section 105 (step S102). Next, the ECM generation
section 102 reads the ECM information stored in the ECM information
accumulation section 101, and adds the CRL version number acquired
in step S102 to the read ECM information as a PKI-related information
acquisition instruction to generate an ECM (step S103). Then,
the processing goes to step S104. An ECM is information which
is transmitted for each content. Since the user does not
necessarily view all the contents, it may be determined whether
the PKI-related information acquisition instruction is to be added
or not for each content.

[0098] In step S104, the broadcast signal multiplex and
transmission section 103 broadcasts the generated ECM as being
multiplexed to the content.

[0099] The broadcast signal receiving and separation section
202 of the terminal device 200 selects a channel of the signal
to be received, and transfers the ECM to the ECM acquisition section
204 (step S201).

[0100] Next, the PKI-related information acquisition
determination request section 205 determines whether or not the
ECM acquired by the ECM acquisition section 204 includes the latest
CRL version number, and thus determines whether or not the
PKI-related information acquisition instruction has been issued
(step S202).

[0101] When no PKI-related information acquisition
instruction has been issued, the terminal device 200 terminates
the processing regarding the PKI-related information acquisition.
In parallel with this, the terminal device 200 reproduces the
content in a content utilization section (not shown).

[0102] By contrast, when the PKI-related information
acquisition instruction has been issued, the PKI-related
information acquisition determination request section 205
acquires the version number of the CRL stored in the PKI-related
information holding section 206 (step S203).

[0103] Next, the PKI-related information acquisition
determination request section 205 compares the latest CRL version
number included in the ECM with the version number of the CRL held
by the PKI-related information holding section 206, and thus
determines whether or not the held CRL is the latest CRL (step
S204).

[0104] When the held CRL is the latest CRL, the terminal device
200 terminates the processing. In parallel with this, the terminal
device reproduces the content in the content utilization section
(not shown).

[0105] By contrast, when the held CRL is not the latest CRL,
the PKI-related information acquisition determination request
section 205 then causes the second communication section 207 to
issue a PKI-related information acquisition request for
transmitting the latest CRL (step S205).

[0106] In accordance with this, the distribution device 100
receives the PKI-related information acquisition request (step
S105). Next, the information acquisition request processing
section 106 acquires the latest CRL from the PKI-related
information accumulation section 105 and causes the first
communication section 107 to transmit the CRL to the terminal device
200 (step S106).

[0107] In accordance with this, the second communication
section 207 of the terminal device 200 receives the latest CRL
and transfers the CRL to the PKI-related information update section
208 (step S206). Next, the PKI-related information update section
208 updates the CRL stored in the PKI-related information holding
section 206 into the latest CRL (step S207) and terminates the
processing. In parallel with this, the terminal device 200
reproduces the content in the content utilization section (not
shown).

[0108] As described above, according to the first embodiment,
when the CRL is updated in the distribution device, an ECM including
a PKI-related information acquisition instruction is broadcast
from the distribution device to the terminal device. Each time
the terminal device receives an ECM, the terminal device determines
whether or not the ECM includes a PKI-related information
acquisition instruction. When the ECM includes a PKI-related
information acquisition instruction, the terminal device receives
the latest CRL from the distribution device via communication,
and updates the CRL held therein into the latest CRL. Accordingly,
when the CRL is updated in the distribution device, the terminal
device necessarily acquires the latest CRL in response to the use
of the ECM, i.e., in response to the use of the content. In this
manner, a system for allowing, with certainty, the terminal device
to acquire the PKI-related information, which is distributed
without any association with the use of the content, is provided.
Thus, the security is guaranteed and also the cost for distributing
the PKI-related information is reduced.
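
The ECM of FIG. 2 and the terminal-side steps S202 to S207, as an added example that is not part of the original description. The byte layout, the table id, HMAC-SHA256 standing in for the manipulation detection information, zlib CRC-32 standing in for the error detection information, the `CrlHolder` class, and the `fetch_crl` callback standing in for the acquisition request over the SAC are all assumptions; version numbers are assumed to ascend.

```python
import hashlib
import hmac
import struct
import zlib
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Assumed layout, constructed for this example (not the ARIB STD-B25 wire format):
#   section header : table id (1) | length of ECM main part (2, big endian)
#   ECM main part  : content key (16) | instruction present (1)
#                    | latest CRL version (4, only if present)
#                    | private data length (2) | private data | HMAC-SHA256 (32)
#   section tailer : CRC-32 over header and main part (4)
TABLE_ID, KEY_LEN, MAC_LEN, CRC_LEN = 0x82, 16, 32, 4


class EcmError(ValueError):
    """The section failed error detection, manipulation detection or parsing."""


@dataclass
class Ecm:
    content_key: bytes
    latest_crl_version: Optional[int]  # None: no acquisition instruction
    private_data: bytes


@dataclass
class CrlHolder:  # stands in for the PKI-related information holding section 206
    version: int
    crl: bytes


def build_ecm(mac_key: bytes, content_key: bytes,
              latest_crl_version: Optional[int] = None,
              private_data: bytes = b"") -> bytes:
    """Distribution side (S102-S103): the version is added only when instructing."""
    fields = content_key
    if latest_crl_version is None:
        fields += b"\x00"
    else:
        fields += b"\x01" + struct.pack(">I", latest_crl_version)
    fields += struct.pack(">H", len(private_data)) + private_data
    main = fields + hmac.new(mac_key, fields, hashlib.sha256).digest()
    head = struct.pack(">BH", TABLE_ID, len(main))
    return head + main + struct.pack(">I", zlib.crc32(head + main))


def parse_ecm(section: bytes, mac_key: bytes) -> Ecm:
    """Check error detection, then manipulation detection, then read the fields."""
    if len(section) < 3 + KEY_LEN + 1 + 2 + MAC_LEN + CRC_LEN:
        raise EcmError("section too short")
    table_id, length = struct.unpack(">BH", section[:3])
    if table_id != TABLE_ID or len(section) != 3 + length + CRC_LEN:
        raise EcmError("bad section header")
    (crc,) = struct.unpack(">I", section[-CRC_LEN:])
    if zlib.crc32(section[:-CRC_LEN]) != crc:
        raise EcmError("error detection failed")
    fields = section[3:-CRC_LEN - MAC_LEN]
    mac = section[-CRC_LEN - MAC_LEN:-CRC_LEN]
    # A CRC only catches transmission errors; anyone can recompute it. The keyed
    # MAC is what makes the CRL version number trustworthy as an instruction.
    expected = hmac.new(mac_key, fields, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        raise EcmError("manipulation detected")
    pos, version = KEY_LEN + 1, None
    if fields[KEY_LEN] == 1:
        if len(fields) < pos + 4 + 2:
            raise EcmError("truncated main part")
        (version,) = struct.unpack(">I", fields[pos:pos + 4])
        pos += 4
    elif fields[KEY_LEN] != 0:
        raise EcmError("unknown instruction marker")
    (plen,) = struct.unpack(">H", fields[pos:pos + 2])
    if pos + 2 + plen != len(fields):
        raise EcmError("private data length mismatch")
    return Ecm(fields[:KEY_LEN], version, fields[pos + 2:])


def handle_ecm(section: bytes, mac_key: bytes, holder: CrlHolder,
               fetch_crl: Callable[[], Tuple[int, bytes]]) -> str:
    """Terminal side, S202-S207; fetch_crl returns (version, CRL bytes)."""
    ecm = parse_ecm(section, mac_key)
    if ecm.latest_crl_version is None:              # S202: no instruction
        return "no_instruction"
    if holder.version >= ecm.latest_crl_version:    # S203-S204: already latest
        return "up_to_date"
    version, crl = fetch_crl()                      # S205-S206
    if version < ecm.latest_crl_version:  # added check: older than announced
        return "stale_response"
    holder.version, holder.crl = version, crl       # S207
    return "updated"


if __name__ == "__main__":
    key = b"\x11" * 32  # constructed key
    holder = CrlHolder(5, b"crl-v5")
    section = build_ecm(key, bytes(16), latest_crl_version=7)
    print(handle_ecm(section, key, holder, lambda: (7, b"crl-v7")), holder.version)
```

Because the held version is compared with `>=`, a replayed ECM that announces an older CRL version never causes a fetch or a downgrade.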

[0109] In the first embodiment, the distribution device and
the terminal device both include a functional block.
Alternatively, the distribution device and/or the terminal device
may be implemented by causing a multiple purpose computer device
including a CPU, a communication device, a memory device and the
like to execute a program for realizing the operation flow shown
in FIG. 3.

[0110] Each of the functional blocks of the distribution device
and the terminal device may be implemented by a plurality of
integrated circuits or one integrated circuit.

[0111] Preferably, PKI-related information is transmitted via
a secure communication channel by a protocol referred to as SAC
(Secure Authenticated Channel).

[0112] In order to acquire PKI-related information, a terminal
device needs to be mutually connected with the distribution device.
A connection destination to which the terminal device connects
can be designated together with the PKI-related information
acquisition instruction or separately from the PKI-related
information acquisition instruction, or may be designated in the
terminal device in advance by being written in a memory or the
like in the terminal device at the time of, for example, shipment
of the terminal device.

[0113] In the first embodiment, the PKI-related information
is acquired from the distribution device. Alternatively, the
terminal device may acquire the PKI-related information from
another terminal in a home network (including a home server).

[0114] In the first embodiment, the ECM includes a PKI-related
information acquisition instruction. Alternatively, the
PKI-related information acquisition instruction may be included
in information required for using the content, for example, an
EMM (Entitlement Management Message: individual information)
transmitted for each user (for each terminal device), an ECM for
distributing ECM-Kc and Kc and an EMM for distributing Kc of Type
I (stream-type accumulated content) of the server-based broadcast,
or ACI (Account Control Information) of Type II content (file-type
accumulated content) of the server-based broadcast.

[0115] Namely, in the first embodiment, the distribution device
may transmit a PKI-related information acquisition instruction
together with information required for using the content, and the
terminal device may acquire the latest PKI-related information
when receiving the PKI-related information acquisition
instruction transmitted from the distribution device.

[0116] (Second Embodiment)

FIG. 4 is a block diagram showing a functional structure
of an information distribution system according to a second
embodiment of the present invention. In FIG. 4, the information
distribution system includes a distribution device 110 and a
terminal device 210. One terminal device 210 is shown in FIG. 4,
but two or more terminal devices 210 may be provided. In such
a case, each terminal device needs to be able to receive broadcast
from the distribution device 110.

[0117] The distribution device 110 includes an ECM information
accumulation section 101, an ECM generation section 102, a
broadcast signal multiplex and transmission section 113, a
PKI-related information acquisition instruction addition
determination section 104, a PKI-related information accumulation
section 105, and a PKI-related information reading section 111.
In the distribution device 110 shown in FIG. 4, the elements having
the identical functions to those in the distribution device 100
according to the first embodiment bear identical reference numerals
thereto, and the descriptions thereof will be omitted.

[0118] The PKI-related information reading section 111 reads
PKI-related information from the PKI-related information
accumulation section 105, and transfers the PKI-related
information to the broadcast signal multiplex and transmission
section 113.

[0119] The broadcast signal multiplex and transmission section
113 broadcasts the content, an ECM generated by the ECM generation
section 102, and the PKI-related information read by the
PKI-related information reading section 111 as being multiplexed
to one another. The PKI-related information is separately
distributed by a frequency band referred to as an engineering slot,
and finally transmitted as being multiplexed to a broadcast wave.

[0120] The terminal device 210 includes a channel selection
section 201, a broadcast signal receiving and separation section
212, an ECM acquisition section 204, a PKI-related information
acquisition determination request section 205, a PKI-related
information holding section 206, a PKI-related information update
section 208, and a PKI-related information selective receiving
section 211. In the terminal device 210 shown in FIG. 4, the
elements having the identical functions to those in the terminal
device 200 according to the first embodiment bear identical
reference numerals thereto, and the descriptions thereof will be
omitted.

[0121] The broadcast signal receiving and separation section
212 separates the content in the channel selected by the channel
selection section 201, the ECM, and the PKI-related information
from one another. In accordance with an instruction from the
PKI-related information selective receiving section 211, the
broadcast signal receiving and separation section 212 transfers
the separated PKI-related information to the PKI-related
information selective receiving section 211.

[0122] In response to a PKI-related information acquisition
request from the PKI-related information acquisition
determination request section 205, the PKI-related information
selective receiving section 211 requests the broadcast signal
receiving and separation section 212 to transfer the PKI-related
information separated from the broadcast signal. Even when there
is no PKI-related information acquisition instruction from the
distribution device 200, the PKI-related information selective
receiving section 211 acquires PKI-related information steadily
multiplexed to a broadcast signal from the broadcast signal
receiving and separation section 212.

[0123] FIG. 5 shows a data structure of an ECM generated by
the ECM generation section 102 of the distribution device 110.
In FIG. 5, the ECM includes a section header, an ECM main part,
and error detection information (a section tailer) in an ECM section.
The ECM main part is formed of a content key, a PKI-related
information acquisition instruction flag, variable-length
private data, and manipulation detection information. The
PKI-related information acquisition instruction flag indicates
the PKI-related information acquisition instruction.

[0124] FIG. 6 is a flowchart showing an operation of the
distribution device 110 and the terminal device 210 in the
information distribution system according to the second embodiment.
Hereinafter, with reference to FIG. 6, the operation of the
distribution device 110 and the terminal device 210 in the
information distribution system according to the first embodiment
will be described.

[0125] First, the PKI-related information acquisition
instruction addition determination section 104 of the distribution
device 110 determines whether or not the CRL stored in the
PKI-related information accumulation section 105 has been updated
(step S301). How to determine whether or not the CRL has been
updated is substantially the same as that described regarding step
S101 of FIG. 3 in the first embodiment, and will be omitted here.

[0126] When it is determined that the CRL has not been updated,
the ECM generation section 102 generates an ECM with no PKI-related
information acquisition instruction. Then, the processing goes
to step S303.

[0127] By contrast, when it is determined that the CRL has been
updated, the ECM generation section 102 reads the ECM information
stored in the ECM information accumulation section 101, and adds
a flag indicating the PKI-related information acquisition
instruction (PKI-related information acquisition instruction
flag), which instructs update of the CRL, to the ECM information
to generate an ECM (step S302). Then, the processing goes to step
S303.

[0128] In step S303, the broadcast signal multiplex and
transmission section 113 broadcasts the generated ECM, the content,
and the PKI-related information read by the PKI-related information
reading section 111 as being multiplexed to one another.

[0129] The broadcast signal receiving and separation section
212 of the terminal device 200 selects a channel of the signal
to be received, and transfers the ECM to the ECM acquisition section
204 (step S401).

[0130] Next, the PKI-related information acquisition
determination request section 205 determines whether or not the
ECM acquired by the ECM acquisition section 204 includes the
PKI-related information acquisition instruction flag, and thus
determines whether or not the PKI-related information acquisition
instruction has been issued (step S402).

[0131] When no PKI-related information acquisition
instruction flag is included, the terminal device 200 terminates
the processing regarding the PKI-related information acquisition.
In parallel with this, the terminal device 210 reproduces the
content in a content utilization section (not shown).

[0132] By contrast, when the PKI-related information
acquisition instruction flag is included, the PKI-related
information acquisition determination request section 205
transfers a PKI-related information acquisition request to the
PKI-related information selective receiving section 211. In
accordance with this, the PKI-related information selective
receiving section 211 causes the broadcast signal receiving and
separation section 212 to select a channel of an engineering slot
(step S403). Next, the PKI-related information selective
receiving section 211 acquires the latest CRL from the selected
channel (step S404). Next, the PKI-related information update
section 208 stores the latest CRL acquired by the PKI-related
information selective receiving section 211 in the PKI-related
information holding section 206, updates the CRL (step S405), and
terminates the processing. In parallel with this, the terminal
device 210 reproduces the content in the content utilization
section (not shown). In the processing of updating the CRL in
step S405, the CRL held in the PKI-related information holding
section 206 may be overwritten. Or, in the case where the CRL
does not need to be updated as a result of comparison of the CRL
version numbers, the CRL may be kept non-overwritten.

[0133] As described above, according to the second embodiment,
the distribution device constantly distributes the latest CRL in
an engineering slot, and the terminal device usually receives a
TS of the engineering slot appropriately, for example, at a certain
time interval, and updates the CRL. In addition, when the CRL
is updated, the distribution device broadcasts a PKI-related
information acquisition instruction flag as being added to the
ECM. When the ECM includes the PKI-related information
acquisition instruction flag, the terminal device which received
the ECM acquires the latest CRL from the engineering slot and updates
the PKI-related information held therein. Accordingly, when the
CRL is updated in the distribution device, the terminal device
necessarily acquires the latest CRL. In this manner, a system
for allowing, with certainty, the terminal device to acquire the
PKI-related information, which is distributed without any
association with the use of the content, is provided. Thus, the
security is guaranteed and also the cost for distributing the
PKI-related information is reduced.

[0134] In the second embodiment, the distribution device and
the terminal device both include a functional block.
Alternatively, the distribution device and/or the terminal device
may be implemented by causing a multiple purpose computer device
including a CPU, a communication device, a memory device and the
like to execute a program for realizing the operation flow shown
in FIG. 6.

[0135] In the second embodiment, a PKI-related information
acquisition instruction flag may be included in the ECM. When
the PKI-related information acquisition instruction flag is
included, the terminal device necessarily selects a channel of
an engineering slot. Alternatively, the version number, size,
and updating time and date of the CRL may be included in the ECM.
In this case, the terminal device compares the version number,
size, and updating time and date of the CRL held therein with the
version number, size, and updating time and date of the CRL included
in the ECM. When it is determined that the CRL needs to be updated
as a result of the comparison, the terminal device selects a channel
of an engineering slot. As described above, the PKI-related
information acquisition instruction encompasses an explicit
instruction such as a flag or the like and also an implicit
instruction such as a CRL version number or the like.

[0136] Namely, in the second embodiment, the distribution
device may transmit a PKI-related information acquisition
instruction together with information required for using the
content (ECM), and the terminal device may acquire the latest
PKI-related information when receiving the PKI-related
information acquisition instruction transmitted from the
distribution device. The information required for using the
content which is sent together with the PKI-related information
acquisition instruction may be information other than an ECM.

[0137] Each of the functional blocks of the distribution device
and the terminal device may be implemented by a plurality of
integrated circuits or one integrated circuit.

[0138] In the second embodiment, the PKI-related information
is broadcast in an engineering slot. Alternatively, the
PKI-related information may be broadcast as being included in a
private section of the broadcast or in a data carousel of the
broadcast. From which channel the PKI-related information is to
be acquired may be designated together with the PKI-related
information acquisition instruction or separately from the
PKI-related information acquisition instruction, or may be
designated in the terminal device in advance by being written in
a memory or the like in the terminal device at the time of, for
example, shipment of the terminal device.

[0139] (Third Embodiment)

FIG. 7 is a block diagram showing a functional structure
of an information distribution system according to a third
embodiment of the present invention. In FIG. 7, the information
distribution system includes a distribution device 120 and a
terminal device 220. One terminal device 220 is shown in FIG. 7,
but two or more terminal devices 220 may be provided. In such
a case, each terminal device needs to be able to receive broadcast
from the distribution device 120 and to be communicable with the
distribution device 120 via a communication network.

[0140] The distribution device 120 includes a PKI-related
information reading section 121, a broadcast signal multiplex and
transmission section 122, a PKI-related information accumulation
section 105, an information acquisition instruction addition
determination section 123, an information acquisition request
processing section 124, a first communication section 107, and
a license accumulation section 125. In the distribution device
120 shown in FIG. 7, the elements having the identical functions
to those in the distribution device 100 according to the first
embodiment bear identical reference numerals thereto, and the
descriptions thereof will be omitted.

[0141] The license accumulation section 125 stores, for each
user, license information required for reproducing a content.

[0142] When a license information transmission request is
issued by the terminal device 220, the information acquisition
request processing section 124 acquires the license information
of the corresponding user stored in the license accumulation
section 125. When the license information transmission request
is issued by the terminal device 220, the information acquisition
request processing section 124 also causes the information
acquisition instruction addition determination section 123 to
determine whether or not the CRL has been updated.

[0143] In response to the request from the information
acquisition request processing section 124, the information
acquisition instruction addition determination section 123 refers
to the PKI-related information accumulation section 105 to
determine whether or not the CRL has been updated. When the CRL
has been updated, the information acquisition instruction addition
determination section 123 transfers the size of the latest CRL
to the information acquisition request processing section 124 as
PKI-related information acquisition instruction information. It
should be noted that the entry of an invalidity certificate
described in the CRL is assumed to increase in a monotone increase
manner.

[0144] Here, the information acquisition instruction addition
determination section 123 determines whether or not the CRL has
been updated. The present invention is not limited to this, and
an information acquisition instruction may be added based on other
determination criteria. It is conceivable to add an information
acquisition instruction, for example, periodically, based on a
frequency (interval) at which the information acquisition
instruction is added, or based on the type of license to be acquired,
the license acquisition frequency of each user or the like.
[0145] The information acquisition request processing section
124 causes the first communication section 107 to transmit a
communication message, obtained by adding the license information
acquired from the license accumulation section 125 and the size
of the latest CRL from the information acquisition instruction
addition determination section 123, to the terminal device 220.
The communication message is transmitted via a secure communication
channel referred to as an SAC protocol.

[0146] The PKI-related information reading section 121 reads
the latest CRL from the PKI-related information accumulation
section 105, and transfers the latest CRL to the broadcast signal
multiplex and transmission section 122.

[0147] The broadcast signal multiplex and transmission section
122 broadcasts the CRL from the PKI-related information reading
section 121 multiplexed with the content, such that the
latest CRL is included in the engineering slot. Here, the
PKI-related information (CRL) is multiplexed with the content.
Alternatively, the PKI-related information may be multiplexed with
a signal other than the content as long as the PKI-related
information is multiplexed into the broadcast signal.
[0148] The terminal device 220 includes a broadcast signal
receiving and separation section 221, a PKI-related information
selective receiving section 222, a PKI-related information update
section 223, a PKI-related information acquisition determination
request section 224, a PKI-related information holding section
206, a license information acquisition section 225, a second
communication section 207, and a license request section 226. In
the terminal device 220 shown in FIG. 7, the elements having the
identical functions to those in the terminal device 200 according
to the first embodiment bear identical reference numerals thereto,
and the descriptions thereof will be omitted.

[0149] In response to a request from the user, the license
request section 226 requests the distribution device 120 to
transmit the license information via the second communication
section 207. In FIG. 7, a functional block for receiving a license
acquisition request from the user and transferring the request
to the license request section 226 is omitted.

[0150] The license information acquisition section 225
acquires the license information included in the communication
message received by the second communication section 207, and
transfers the size of the latest CRL included in the communication
message to the PKI-related information acquisition determination
request section 224.

[0151] The PKI-related information acquisition determination
request section 224 compares the received size of the latest CRL
with the size of the CRL stored in the PKI-related information
holding section 206, and thus determines whether or not the stored
CRL is older. When the stored CRL is older, the PKI-related
information acquisition determination request section 224 causes
the PKI-related information selective receiving section 222 to
acquire the PKI-related information.

[0152] The broadcast signal receiving and separation section
221 separates the channel of the content from the channel of the
engineering slot or the like.

[0153] In accordance with an instruction from the PKI-related
information acquisition determination request section 224, the
PKI-related information selective receiving section 222 acquires
the PKI-related information from the engineering slot separated
by the broadcast signal receiving and separation section 221, and
transfers the PKI-related information to the PKI-related
information update section 223.

[0154] The PKI-related information update section 223 stores
the acquired PKI-related information in the PKI-related
information holding section 206 and updates the CRL.
[0155] FIG. 8 shows a data structure of a communication message
transmitted from the distribution device 120. In FIG. 8, the
communication message includes a message identifier, a latest CRL
size, and license information. The message identifier is a code
for identifying the message in the SAC. The latest CRL size is
information indicating the size of the latest CRL. The license
information is information including an encryption key (content
key) for decrypting the content, use conditions of the content
and the like. Here, the latest CRL size serves as the PKI-related
information acquisition instruction.

[0156] FIG. 9 is a flowchart showing an operation of the
distribution device 120 and the terminal device 220 in the
information distribution system according to the third embodiment.
Hereinafter, with reference to FIG. 9, the operation of the
distribution device 120 and the terminal device 220 in the
information distribution system according to the third embodiment
will be described.

[0157] First, upon receiving a request from the user, the
license request section 226 of the terminal device 220 requests
the distribution device 120 to transmit the license information
(step S601).

[0158] The information acquisition request processing section
124 of the distribution device 120 receives the license
information transmission request from the terminal device 220 via
the first communication section 107 (step S501). When the
requested license information of the user (or the corresponding
terminal device 200) is not stored in the license accumulation
section 125 at this point, the information acquisition request
processing section 124 returns an error to the terminal device
200.

[0159] Next, the information acquisition instruction addition
determination section 123 refers to the PKI-related information
accumulation section 105 to determine whether or not the CRL has
been updated (step S502). How to determine whether or not the
CRL has been updated is substantially the same as that described
regarding step S101 of FIG. 3 in the first embodiment, and the
description thereof will be omitted here.

[0160] When it is determined that the CRL has not been updated,
the information acquisition request processing section 124
generates a communication message including the license
information but not including the latest CRL size. Then, the
processing goes to step S505.

[0161] By contrast, when it is determined that the CRL has been
updated, the information acquisition instruction addition
determination section 123 reads the size of the latest CRL stored
in the PKI-related information accumulation section 105 (step
S503). Next, the information acquisition request processing
section 124 adds the acquired size to the license information read
from the license accumulation section 125 to generate a
communication message (step S504). Then, the processing goes to
step S505.

[0162] In step S505, the distribution device 120 transmits the
communication message to the terminal device 220.

[0163] The license information acquisition section 225 of the
terminal device 220 receives the communication message transmitted
from the distribution device 120 to acquire the license information
and the latest CRL size, and transfers the latest CRL size to the
PKI-related information acquisition determination request
section 224 (step S602).

[0164] Next, the PKI-related information acquisition
determination request section 224 refers to the PKI-related
information holding section 206 to acquire the size of the CRL
held therein (step S603). Next, the PKI-related information
acquisition determination request section 224 determines whether
or not the size of the CRL held by the terminal device is smaller
than the latest CRL size (step S604). In the case where the size
of the CRL increases monotonically, a smaller CRL size indicates
an older CRL.

[0165] When the size of the held CRL is not smaller than the
latest CRL size, the held CRL is not older. The terminal device
220 reproduces the content using the license information acquired
by the license information acquisition section 225, and terminates
the processing.

[0166] By contrast, when the size of the held CRL is smaller
than the latest CRL size, the held CRL is older. The PKI-related
information acquisition determination request section 224 causes
the PKI-related information selective receiving section 222 to
select a channel of an engineering slot (step S605), and to acquire
the latest CRL (step S606). Then, the PKI-related information
update section 223 stores the acquired latest CRL in the PKI-related
information holding section 206 and updates the CRL (step S607).
In parallel with the PKI-related information acquisition
processing, the terminal device 220 reproduces the content using
the license information acquired by the license information
acquisition section 225, and terminates the processing.
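
The exchange of FIG. 8 and FIG. 9 can be traced in code. The following Python is an added example, not part of the original specification: the byte layout of the message, the identifier value 0x01, the sample CRL bytes and the check that refuses a broadcast CRL shorter than the announced size are assumptions made for illustration, and the SAC that would carry the message is left out.

```python
import struct
from dataclasses import dataclass, field

MSG_LICENSE = 0x01                  # assumed message identifier value
HEADER = struct.Struct(">BBIH")     # assumed layout: id, size-present flag,
                                    # latest CRL size, license length

def build_message(license_info: bytes, latest_crl: bytes, crl_updated: bool) -> bytes:
    """Distribution device, steps S502 to S504: the latest CRL size is added
    only when the CRL has been updated."""
    size = len(latest_crl) if crl_updated else 0
    header = HEADER.pack(MSG_LICENSE, int(crl_updated), size, len(license_info))
    return header + license_info

def parse_message(raw: bytes):
    """Terminal device, step S602: return (license_info, latest_crl_size),
    where the size is None if no acquisition instruction was added."""
    if len(raw) < HEADER.size:
        raise ValueError("truncated communication message")
    msg_id, has_size, size, lic_len = HEADER.unpack_from(raw)
    if msg_id != MSG_LICENSE:
        raise ValueError("unexpected message identifier")
    license_info = raw[HEADER.size:]
    if len(license_info) != lic_len:
        raise ValueError("license length does not match header")
    return license_info, (size if has_size else None)

@dataclass
class Terminal:
    held_crl: bytes                 # contents of the holding section 206
    steps: list = field(default_factory=list)

    def handle(self, raw: bytes, engineering_slot) -> bytes:
        """Steps S602 to S607. `engineering_slot` is a hypothetical callable
        standing in for the broadcast receiver; it returns the CRL on air."""
        license_info, latest_size = parse_message(raw)
        self.steps.append("S602")
        held_size = len(self.held_crl)                           # S603
        if latest_size is not None and held_size < latest_size:  # S604
            candidate = engineering_slot()                       # S605, S606
            self.steps += ["S605", "S606"]
            # Added check (assumption, not in the text): a broadcast CRL
            # shorter than the announced size is stale and is not stored.
            if len(candidate) >= latest_size:
                self.held_crl = candidate                        # S607
                self.steps.append("S607")
            else:
                self.steps.append("rejected-stale-broadcast")
        return license_info         # used to reproduce the content

# Constructed sample data: one invalidated serial number per line.
OLD_CRL = b"1001\n1002\n"
NEW_CRL = OLD_CRL + b"1003\n"
LICENSE = b"content-key|play-count=3"

def run_exchange(crl_updated: bool, on_air: bytes, held: bytes = OLD_CRL):
    """Run one license request against a terminal that holds `held`."""
    terminal = Terminal(held_crl=held)
    message = build_message(LICENSE, NEW_CRL, crl_updated)
    license_info = terminal.handle(message, lambda: on_air)
    return license_info, terminal.held_crl, terminal.steps

if __name__ == "__main__":
    for updated, on_air in [(True, NEW_CRL), (False, NEW_CRL), (True, OLD_CRL)]:
        print(run_exchange(updated, on_air))
```

Because the comparison in step S604 relies only on size, it is sound only under the monotonic-growth assumption stated in paragraph [0143].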
[0167] As described above, according to the third embodiment,
a situation where the latest PKI-related information is constantly
broadcast from the distribution device is provided. In this
situation, when the terminal device issues a license information
transmission request, the distribution device determines whether
or not the CRL has been updated. When the CRL is updated, the
distribution device transmits the license information, with a
PKI-related information acquisition instruction added thereto,
to the terminal device. When the distribution device has issued
the PKI-related information acquisition instruction, the terminal
device acquires the broadcast PKI-related information and updates
the CRL. Accordingly, when the CRL is updated in the distribution
device, the terminal device necessarily acquires the latest CRL
and then uses the content using the license information. In this
manner, a system for allowing, with certainty, the terminal device
to acquire the PKI-related information, which is distributed
without any association with the use of the content, is provided.
Thus, the security is guaranteed and also the cost for distributing
the PKI-related information is reduced.

[0168] Namely, in the third embodiment, the distribution device
may transmit a PKI-related information acquisition instruction
together with information required for using the content (license
information), and the terminal device may acquire the latest
PKI-related information when receiving the PKI-related
information acquisition instruction transmitted from the
distribution device. The information required for using the
content which is sent together with the PKI-related information
acquisition instruction may be information other than license
information.

[0169] In the third embodiment, the distribution device and
the terminal device both include a functional block.
Alternatively, the distribution device and/or the terminal device
may be implemented by causing a general-purpose computer device
including a CPU, a communication device, a memory device and the
like to execute a program for realizing the operation flow shown
in FIG. 9.

[0170] Each of the functional blocks of the distribution device
and the terminal device may be implemented by a plurality of
integrated circuits or one integrated circuit.

[0171] In the third embodiment, the PKI-related information
selective receiving section 222 may acquire the PKI-related
information in accordance with an instruction from the user and
cause the PKI-related information update section 223 to update
the PKI-related information.

[0172] In the third embodiment, as shown in FIG. 8, a
PKI-related information acquisition instruction is added to the
license information. Alternatively, the PKI-related information
acquisition instruction may be included in the message transferred
on the SAC protocol. The PKI-related information acquisition
instruction may be included in the license, which is one of the
messages transmitted on the SAC protocol.

[0173] In the third embodiment, the PKI-related information
is broadcast in an engineering slot. Alternatively, the
PKI-related information may be broadcast as being included in a
private section of the broadcast or in a data carousel of the
broadcast. The channel from which the PKI-related information is
to be acquired may be designated together with the PKI-related
information acquisition instruction or separately from the
PKI-related information acquisition instruction, or may be
designated in the terminal device in advance.
[0174] (Other Embodiments)

In the first through third embodiments, as the
PKI-related information acquisition instruction, the latest CRL
version number (see FIG. 2), the PKI-related information
acquisition instruction flag (see FIG. 5) or the latest CRL size
(see FIG. 8) is used. The PKI-related information acquisition
instruction may be any of the expiration time, creation time and
date, or the number of certificate entries of the PKI-related
information. The PKI-related information acquisition
instruction conceptually encompasses such implicit instructions.
In such a case also, the terminal device may determine whether
or not to acquire the PKI-related information by comparing the
PKI-related information with the expiration time, creation time
and date, or the number of certificate entries of the old CRL stored
in the terminal device. The terminal device may determine whether
or not to acquire the PKI-related information based on a combination
of these factors.

[0175] The information to be transmitted together with the
PKI-related information acquisition instruction is not limited
to the above-mentioned information, and may be any information
required for using the content. By the PKI-related information
acquisition instruction being transmitted together with
information required for using the content, the terminal device
can acquire the PKI-related information in association with the
use of the content, and also can receive the PKI-related information
to be forcibly acquired with certainty.

[0176] In the first through third embodiments, the terminal
device acquires the PKI-related information immediately after
determining that a PKI-related information acquisition
instruction has been issued (see step S205 in FIG. 3, step S404
in FIG. 5, and step S606 in FIG. 9). Alternatively, the terminal
device may acquire the PKI-related information a certain time after
determining that a PKI-related information acquisition
instruction has been issued. In this case, the timing to acquire
the PKI-related information may be dispersed among terminals.
[0177] In the first through third embodiments, when the
distribution device or the user issues a PKI-related information
acquisition instruction, the terminal device acquires the
PKI-related information. Alternatively, the terminal device may
acquire the PKI-related information periodically. The timing of
periodic acquisition of the PKI-related information may be
designated based on the time interval or the time/date, or based
on the number of times that the license is used or the number of
times that meta data is used. Such timing may be set in advance
in the terminal device by being written in a memory or the like
in the terminal device at the time of, for example, shipment of
the terminal device, or may be set such that the timing can be
updated via broadcast or communication.

[0178] In the first through third embodiments, a CRL is used
as the PKI-related information. Alternatively, a public key
certificate may be distributed as the PKI-related information.
In this case, the public key certificate may be a public key
certificate for mutual authentication for establishing a SAC with
another entity such as the distribution device, the terminal device
or the like, or may be a public key certificate added to meta
data or the like for signature verification.

[0179] The PKI-related information may be distributed for each
broadcaster in an ECM, EMM, license or the like, or may be commonly
distributed for all the broadcasters using an engineering slot
or the like.

[0180] When PKI-related information cannot be acquired due to a
disturbance or the like, the terminal device may re-try to acquire
the PKI-related information a plurality of times. When the
PKI-related information cannot be acquired although re-tries are
performed N (> 0) times, the terminal device may display a warning
message to the user (for example, "please check the communication
connection", "please select channel A", etc.). The re-tries may
be restricted in terms of the number of times as described above
or the time period, or a combination thereof. The restriction
on the number of times or the time period may be updated via broadcast
or communication, or may be fixed as a system.

[0181] When the PKI-related information cannot be acquired
after re-tries, the terminal device may finally lock at least a
part of functions regarding the use of the contents or the like.
In this case also, the terminal device may display a notification
message to the user (for example, "the use of the contents is
temporarily disabled because the communication connection cannot
be confirmed", "please contact broadcast station A", etc.).
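
The re-try limits of paragraph [0180], the lock of paragraph [0181] and the dispersed acquisition timing of paragraph [0176] combine into one terminal-side policy. The Python below is an added example, not part of the original specification; the hash-based start delay, the default limits and the simulated clock (no real waiting) are assumptions, and try_acquire is a hypothetical stand-in for the broadcast receiver.

```python
import hashlib
from dataclasses import dataclass

WARNING = "please check the communication connection"
LOCK_NOTICE = ("the use of the contents is temporarily disabled because "
               "the communication connection cannot be confirmed")

@dataclass(frozen=True)
class RetryPolicy:
    max_tries: int = 3          # N (> 0) attempts before giving up
    max_seconds: int = 600      # time-period restriction on re-tries
    retry_interval: int = 120   # assumed spacing between attempts
    spread_seconds: int = 300   # assumed window for dispersing terminals

def dispersal_delay(terminal_id: str, instruction: int, spread: int) -> int:
    """Per-terminal start delay in seconds. Hash-based spreading is an
    assumption; the text only says the timing may be dispersed."""
    digest = hashlib.sha256(f"{terminal_id}:{instruction}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % spread

def acquire_with_policy(terminal_id, instruction, try_acquire,
                        policy=RetryPolicy()):
    """Attempt acquisition under both restrictions (count and time period).
    Returns a dict describing the outcome; time is simulated, not slept."""
    start = dispersal_delay(terminal_id, instruction, policy.spread_seconds)
    now, attempts = start, 0
    while attempts < policy.max_tries and now - start <= policy.max_seconds:
        attempts += 1
        crl = try_acquire(attempts)          # None models a failed reception
        if crl is not None:
            return {"state": "updated", "attempts": attempts,
                    "start_delay": start, "elapsed": now - start,
                    "crl": crl, "messages": []}
        now += policy.retry_interval
    # All permitted re-tries failed: warn the user, then lock content use.
    return {"state": "locked", "attempts": attempts,
            "start_delay": start, "elapsed": now - start,
            "crl": None, "messages": [WARNING, LOCK_NOTICE]}

if __name__ == "__main__":
    # Constructed scenario: reception fails once, then succeeds.
    flaky = lambda n: b"1001\n1002\n1003\n" if n == 2 else None
    print(acquire_with_policy("terminal-A", 15, flaky))
    print(acquire_with_policy("terminal-A", 15, lambda n: None))
```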

[0182] In the first through third embodiments, the distribution
device determines whether or not to issue a PKI-related information
acquisition instruction. Alternatively, the PKI-related
information acquisition instruction may be constantly issued, and
the terminal device may determine whether or not the PKI-related
information needs to be acquired when necessary.

[0183] In the first through third embodiments, the distribution
device determines whether or not the PKI-related information has
been updated, and instructs the terminal device to acquire the
PKI-related information when the PKI-related information has been
updated. The present invention is not limited to this. For
example, the distribution device may periodically instruct
acquisition of the PKI-related information for a certain period
of time.

[0184] In the case where both the CRL and the public key
certificate are distributed as the PKI-related information, the
PKI-related information acquisition instruction may include
identification information which indicates, for example, whether
that particular instruction is to acquire the CRL, to acquire the
public key certificate or to acquire both.

[0185] The above embodiments are given regarding a system for
forcibly acquiring PKI-related information. The present
invention is applicable to a system for forcibly acquiring
information. For example, the distribution device may distribute
licenses including contract information, contents, meta data,
programs, secure time information or the like instead of
PKI-related information, and the terminal device may acquire such
information based on the acquisition instruction transmitted from
the distribution device.

[0186] The information transmission system for the PKI-related
information or the PKI-related information acquisition
instruction according to the present invention is not limited to
transmission systems by a so-called broadcast wave, such as the
BS digital broadcast, digital CATV or the like, and may be a broadcast
or multicast transmission system using ADSL (Asymmetric Digital
Subscriber Line), FTTH (Fiber to the Home), the Internet or the
like.

[0187] The distribution device may distribute the contents
using a signal other than the broadcast wave. For example, the
distribution device may distribute the contents using ADSL, FTTH,
or the like. Namely, any distribution method is usable for
distributing the contents.

[0188] While the invention has been described in detail, the
foregoing description is in all aspects illustrative and not
restrictive. It is understood that numerous other modifications
and variations can be devised without departing from the scope
of the invention.

INDUSTRIAL APPLICABILITY

[0189] An information distribution system, and a terminal 
device and a distribution device used for the same according to 
the present invention can allow, with certainty, the terminal 
device to acquire PKI-related information, which is distributed 
without any association with the use of the content, and are useful 
in the fields of content distribution and the like. 



